Share this story

Welcome to Ars UNITE, our week-long virtual conference on the ways that innovation brings unusual pairings together. Today, we examine the inevitable, growing Internet of Things and the security concerns we'll all need to consider. Join us this afternoon at 1pm Eastern (10am Pacific) for a live discussion on the topic with article author Sean Gallagher and his expert guest; your comments and questions are welcome.

Even before there was a World Wide Web, there was an Internet of Things.

In 1991, a couple of researchers at the University of Cambridge Computer Lab set out to solve the problem of making fruitless quests through the building to a shared coffee pot in the Lab's Trojan Room. Using a video camera, a frame grabbing card, and a Motorola 68000 series-based computer running VME, they created a networked sensor that could show the current state of the pot. First configured as an X-Windows application, the Trojan Coffee Pot server was converted to HTTP in 1993, becoming one of the early stars of the Internet. It was soon joined by other networked sensors, including a number of hot tubs.

Today, millions of devices expose what they see, hear, and otherwise sense to the Internet. And thanks to cheap embedded systems, they don't need an old VME or Windows box to do it. Billions of other devices that defy the usual definition of "computer" are communicating over networks, almost entirely with other machines. These "Internet of Things" (IoT) devices send telemetry to and receive instructions from software both nearby and on far-flung servers. Software and sensors are controlling more of what once was done by humans, often more efficiently, conveniently, and cheaply.

This practice is changing how we interact with the physical world. We talk to our televisions and they listen, thanks to embedded sensors and voice processing chips that can tap into the cloud for corrections. We drive down the road and sensors gather data from our cell phones to measure the flow of traffic. Our cars have mobile apps to unlock them. Health devices send data back to doctors, and wristwatches let us send our pulse to someone else. The digital has become physical.

It has been only eight years since the smartphone emerged, introducing the new age of always-on mobile connectivity, and networked devices now already outnumber the people on the planet. By some estimates, within the next five years, the number of devices connected to the Internet will outnumber the people on the planet by over seven to one—50 billion machines, ranging from networked sensors to industrial robots.

Inexpensive computing power, cheap or free connectivity, and the relative ease with which new software and chips are making connecting will make it possible for governments, companies, and even individuals to collect detailed data from IoT devices and automate them in some way. It will be the things' Internet; we'll just be living in it.

But given the state of IoT today, that might be a bumpy tenancy if certain issues aren't ironed out now. Security, privacy, and reliability concerns are the main barriers to a sudden arrival of some singularity where we all live as happy cogs in an IoT machine world. So how will the human social order take to a world of persistent networked everything?

Plugging into the spew

An airplane being assembled at an Airbus facility. The company is developing "smart tools" that use local and network intelligence as part of its "factory of the future" initiative.

An Airbus worker alongside a two-armed robot. IoT-enabled tooling is being developed to help humans collaborate with robots without having to think about it.

This data overlay in a lab at GE Software is based on sensor data from Hydro Quebec, showing potential sites for outages based on weather data.

A redacted list of some IoT devices (in this case, Schneider Electric PLC industrial controls connected to Ethernet) visible to the naked Internet and catalogued by the Shodan search engine.

A prototype of GrowBox, an IoT hydroponic system that uses sensors to optimize growth of... tomatoes.

The US Army has developed networked sensors in helmets to measure concussive forces soldiers are exposed to in an effort to help protect them from brain injuries.

The promise of IoT is "smart" everything. Nest's Internet-connected Learning thermostat, Nest Cam surveillance camera, and Protect networked smoke alarm promise a more energy-efficient, safer home. IoT technology is a key part of the pitch for "smart cities," "smart buildings," "smart factories," and just about every other "smart" proposal from sensor manufacturers, networking companies, and big technology consultancies. Seemingly everyone is looking for a piece of the biggest potential collection of integration projects ever. Sometimes the "smart" is relatively close to the sensor itself, but it often relies on a remote cloud service or data center to process the information and control actions.

On the consumer side, while devices like Nest's get much of the attention, wearable IoT devices are just starting to take off—despite the relatively low impact so far of high-profile efforts like the Apple Watch. "The Apple Watch may be on a slower liftoff cycle than other recent Apple hardware launches, but it has a complex number of use cases which are finding their home, purpose, and meaning," said Mark Curtis, the chief client officer at Fjord, Accenture's design consultancy. Within the next two to three years, he predicted, wrist-based devices will lose the need to be tethered to a smartphone. "At the same time, interactions between wearables and nearables (e.g., beacons, Amazon Echo, connected cars) will grow."

The health field is the most immediate fit for wearables, because they can gather data that has a benefit without conscious human action. "A good example is our Fjord Fido diabetes platform," Curtis said. "It requires complex linking between devices and data but would not have been possible without a smartwatch."

Governments are especially interested in the analytical powers of IoT-collected data for all sorts of reasons, from tuning services at the most basic levels to understanding how to respond in an emergency—as well as collecting revenue. Traffic lights and even pedestrian crossing buttons could be used as networked sensors, said Michael Daly, chief technology officer for Raytheon Cybersecurity and Special Missions. "You could see how many times is this being used and how long people are waiting to cross, then adjust traffic flow accordingly," he said.

Industry is equally interested in the data that can be tapped into by IoT, and more companies are examining the benefits of using the embedded intelligence and network connectivity of IoT devices to improve their own systems and products. In most of these applications, National Instruments Executive Vice President Eric Starkloff told Ars, companies are most interested in instrumenting their operations, "looking for events that are a warning of impending failure" in systems or squeezing additional efficiency out of their operations. So far, only a small fraction of industrial systems have network-based telemetry gathering, and Starkloff said that the greatest opportunities for growth over the next five years are in "brown field" applications. These are instances of simply upgrading or enhancing existing hardware in factories, refineries, office buildings and other physical plants with IoT goodness.

Manufacturing companies have been among the earliest adopters of IoT. General Electric has pushed forward its own massive internal investment in IoT technology to collect analytic data from everything from gas turbine engines to locomotives. IoT is also part of the "factory of the future" concept embraced by aircraft manufacturer Airbus, where National Instruments is helping the company put "smart IoT technologies into their smart tooling and robotics systems that work alongside human operators," according to Starkloff.

Airbus' IoT interest is as much about ensuring the precision of the company's manufacturing as it is about sensing potential problems. "Today they put planes together mostly manually," Starkloff said. "They want to move to the point where tools are intelligent—where a tool knows whether a rivet was put in correctly." To do that, the analytics tracking system performance "has to be close, not up in cloud," he explained. "They need devices communicating locally—smart tooling connected to smart wearables, such as glasses with a heads-up display."

In a way, Airbus' vision mirrors one that Boeing attempted in the 1990s with augmented reality (one the company has continued to invest in ever since). It's also similar to some of the methods of tying IoT technology to augmented reality visualization we saw at GE Software earlier this year, where technicians could be directed to equipment needing service in a manufacturing environment and stepped through the process with visual cues. But Airbus' setup also includes using IoT technology to communicate between human operated tools and robotic systems, passing data over a local network to allow machines and humans to work collaboratively.

The Department of Defense has similar designs on IoT, though the systems that the DOD wants to enhance are often soldiers themselves. Embedded and wearable systems are turning soldiers into nodes on the DOD network, both to enhance their battlefield performance and to track their well-being. Aside from the work on autonomous drones and other sensors, the Army has developed networked helmet sensors that can help detect the severity of concussive blows (a bit of tech that the NFL has moved to adopt as well). The military, through a number of DARPA projects and other labs, continues to develop wearable technologies that will allow soldiers to interact with other systems.

At a recent conference sponsored by the Army's Training and Doctrine Command (TRADOC), scientists discussed the possibility of "implanted" sensors that could communicate what a soldier was doing without the soldier having to consciously communicate it. Thomas F. Greco, director of intelligence at TRADOC, said that IoT technology coupled with wearable sensors could result in a "precision of knowing," reducing ambiguity on the battlefield and allowing commanders to have absolute knowledge of what troops were doing. But he also said that having that kind of data could affect the order and discipline of soldiers. "Ambiguity is a kind of lubricant in personal relationships," he said, wondering how that would change "when you have total knowledge and accountability."

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat

116 Reader Comments

It'll be a cold day in hell before I let any of these "IoT equipped" appliances and devices connect to my Wi-Fi network. None of my appliances are internet equipped right now, but if any of them are in the future, they sure as shit won't be interconnected.

Hardware device makers absolutely suck at implementing software properly - they literally can't be trusted. It's why I still use HTPCs and Rokus instead of the crap that comes bundled in with "Smart TVs."

So, the year of IoT is just around the corner? This has been predicted for a long long time, but while there will be more and more things online, assuming it is going to be everywhere is kind of silly.

For those who spew out security flaw riddled IOT devices anyway: Go bankrupt in a hurry please.

It's even worse than that: there are some exceptions; but for far too many consumer 'IoT' devices, half the fun is the device offering its vendor and their 'trusted business partners' permanent inside access for 'analytics' or whatever the word of the day is.

If they fail to secure it; it'll be spying on you and trying to sell you stuff both by design and because of script kiddies. If they succeed in securing it, it'll be spying on you and trying to sell you stuff by design; and you won't even be able to reflash it.

Really, it's hard to be adequately pessimistic about 'IoT' without resorting to such histrionic grimness that you start to sound like you are writing flavor text for warhammer 40k.

For my new house, the gas heater (with integrating solar heating circuit) and the ventilation equipment will all be LAN capable and LAN configurable. Also their respective sensors can be hooked up via LAN.

The annoying thing for me is the excess or redundancy of functions. I don't want to be able to connect to the internet through my TV, watch, car, fridge, coffee pot, toaster, etc... I just want my appliances to do one thing, and do it well.

When everything does everything, that's not a convenience, it's a clusterfuck.

For those who spew out security flaw riddled IOT devices anyway: Go bankrupt in a hurry please.

The problem is that most IoT vendors will simply slap some RAM and a low performance IC onto a PCB and install some sort of *nix with Apache and then NEVER EVER touch that damn thing again.

Unfortunately, there is not a single lightweight protocol available that will allow a self-organizing wireless mesh network to be connected to the internet in a secure way. The main idea is that the IoT device will be very simple and offer as little attack surface as possible. It will merely build a secure VPN tunnel to the cloud servers and send raw data to the cloud. The cloud is then responsible for processing, archiving and displaying data.

Call me a Luddite, but I'll tear the microphones and cameras out of hardware before I'll accept devices that listen and can't be turned off. I don't want smart appliances and Smart TV is a contradiction in terms. I had to lock Siri out in iOS 9 permissions just to get the microphone button off the iOS9 default keyboard, but if that's what it takes, fine.

Until companies demonstrate they can secure these devices and actually offer meaningful value, I'm not interested.

For those who spew out security flaw riddled IOT devices anyway: Go bankrupt in a hurry please.

It's even worse than that: there are some exceptions; but for far too many consumer 'IoT' devices, half the fun is the device offering its vendor and their 'trusted business partners' permanent inside access for 'analytics' or whatever the word of the day is.

If they fail to secure it; it'll be spying on you and trying to sell you stuff both by design and because of script kiddies. If they succeed in securing it, it'll be spying on you and trying to sell you stuff by design; and you won't even be able to reflash it.

Really, it's hard to be adequately pessimistic about 'IoT' without resorting to such histrionic grimness that you start to sound like you are writing flavor text for warhammer 40k.

It's even worse than that: there are some exceptions; but for far too many consumer 'IoT' devices, half the fun is the device offering its vendor and their 'trusted business partners' permanent inside access for 'analytics' or whatever the word of the day is.

If they fail to secure it; it'll be spying on you and trying to sell you stuff both by design and because of script kiddies. If they succeed in securing it, it'll be spying on you and trying to sell you stuff by design; and you won't even be able to reflash it.

Really, it's hard to be adequately pessimistic about 'IoT' without resorting to such histrionic grimness that you start to sound like you are writing flavor text for warhammer 40k.

Pretty much nailed my viewpoint and love the 40K reference.

1) Security - There really needs to be a gateway period. 10s, 100s or thousands of devices connecting per household without some sort of firewall or airgap is just bad news.

2) Encryption - Strong encryption needs to be at the heart of these devices, especially anything that has a wireless signal of any sort.

3) Privacy - I don't really mind if anonymized occupancy data is mined by an advanced room by room heating and cooling system which is then optimized for comfort and cost by a vendor. I do mind if easily identifiable data is kept in parallel, sold to the lowest bidder and handed over to the NSA and local law enforcement without even the slightest fight.

Honestly I want a smart home to take the mundane off of my mind and to reduce waste or even make my home safer. Shopping lists, multiple grocery store runs, too hot rooms, too cold rooms, running the A/C when outside air could be used to cool or heat. These are just a few of the things that need to not be things anymore. There just needs to be few compromises in my security and privacy.

On the consumer end, I think the iOT devices are really just going to be another stream for revenue and advertising.

We can already see this with that Amazon push-button thing, or in the recent reviews on Ars of the home video camera devices that require subscriptions to use all the features.

I can see a day when I pull some milk out of the fridge, and it announces: "Customers who drank milk today, also ate cookies, and you can get two for one from WallZon for a limited time! Would you like me to order some?". Or maybe you will need to pay a subscription if you want to check the contents of the fridge from your smartphone while you are at the grocery store.

In this area, I think iOT will be of more benefit to the seller than to the consumers.

For those who spew out security flaw riddled IOT devices anyway: Go bankrupt in a hurry please.

It's even worse than that: there are some exceptions; but for far too many consumer 'IoT' devices, half the fun is the device offering its vendor and their 'trusted business partners' permanent inside access for 'analytics' or whatever the word of the day is.

If they fail to secure it; it'll be spying on you and trying to sell you stuff both by design and because of script kiddies. If they succeed in securing it, it'll be spying on you and trying to sell you stuff by design; and you won't even be able to reflash it.

Really, it's hard to be adequately pessimistic about 'IoT' without resorting to such histrionic grimness that you start to sound like you are writing flavor text for warhammer 40k.

Joking aside, the security/privacy implications of IoT is what concerns me. I have considered doing some sort of home automation, but if I ever follow through with that, the only way to get into any of my networked devices will be a hard-wired Ethernet cable. The network will be air-gapped from any other networks. If a device doesn't have an Ethernet option, and cannot run without being connected to the outside world, that's no option for me. If I purchase a smart device, I don't think I should have to expect to be tracked or shown ads. These devices are not a service. They are individual, one-time purchases for my personal use, however I want.

Although I could just get off the couch and go look at what's in my fridge. That's just not as much fun as programming an automatic grocery list generator. Maybe I'll take my "dumb" devices and roll my own.

The idea behind IoT is fantastic. I want as many things as possible to have networked sensors, monitoring and control. The current implementation is moronic. Having every device talk to a remote server by exposing itself to the internet is an incredibly, monumentally bad idea. These things need to be on their own isolated VLAN (a physically different network is overkill), with a dedicated gateway tasked with collating data and acting as a secure interface. That brings the attack surface down from "the barn door opened a decade ago" to something more reasonable to secure.

What kills me the most is the fact that everyone thinks EVERYTHING needs to be connected to the outside world. If the issue with the Jeeps has shown us one thing it is the fact that everything does NOT need to be connected to the outside world. You know darn well that after a few years the manufacturer will stop release updates and suddenly a product that worked just fine will cease to function. Or something will require you to have a subscription to use all of the features. If I buy a big product (coffee pot, microwave, garage door opener, etc.) I will only pay for that once. I will not pay a yearly fee to access to some app so I can remotely view my device.

Give me a way to host it on my own server inside my home and I'd be a bit more OK with it. I'll gladly VPN home and use a local server. At least then I have some control over the security.

Personally, I don't want any of it, simply because I don't need any of it. But, so long as what ever IoT appliance makes it into my home does its job without a net connection, I will live with it. However, if it turns out that my toaster/fridge/stove/tv/toilet/whatever won't work unless it has a constant connection, then we have a huge problem.

In 1991, a couple of researchers at the University of Cambridge Computer Lab set out to solve the problem of making fruitless quests through the building to a shared coffee pot in the Lab's Trojan Room.

And I'm sure there's a reader out there who recalls more details than I, but in 1984 CMU had a Coke machine on the internet that let you know which slots were empty, or had the coldest bottles.

Tiny quibble regarding the opening paragraph: VME was not an operating system, it was a bus architecture used with Motorola 68000 hardware in the 80s. So it wouldn't be "a Motorola 68000 series-based computer running VME" or a "an old VME or Windows box" anymore than IBM PCs "ran ISA". That VME-bus was used in various workstations of the era, but was also common in industrial control and prototyping systems. The coffee pot probably ran some RTOS. There were several popular ones in that era.

I'll destroy, disable, or otherwise thwart any communications abilities of my appliances until the only thing they CAN do is what I *WANT* them to do. My house will be a giant Faraday Cage with the only signals going in or out being done via the hardlines, not WiFi; a FibreOptic line will be able to handle the data & voice needs for internet & phones, thus leaving the house an IOT blackhole. I will wear clothes with Faraday Cages built into the fabric to thwart any signals getting through, & store my cellphone in an EMP Hardened case with a fuse/surge protected external antenna. Finally, I'll be the guy walking down the street as a mobile EMF Jammer to screw with all the IOT around me, JUST because I loathe the very concept of a trillion electronic sensors tracking my every blink, fart, cough, heartbeat, & crotch scratch. The collective invasion of privacy isn't worth the IOT as it stands. Until & unless they secure the communications, the data being collected, and give We The People a way to render ourselves invisible to such IoP from the IoT, then I want nothing to do with the damned thing.

Too many manufacturers utterly fail at (A) proper security protocols, and (B) maintaining support for any products older than their current models. With IoT products making it more and more mainstream, it is NOT going to take long before certain entities with less than altruistic intentions take full advantage of these facts.

For those of us who are interested in bringing networked devices to our homes, I'm curious whether there is a set of best practices beyond "keep them up to date" and "strong passwords". For example, is there prosumer (or even SOHO) networking gear that we should consider using with a certain set of rules? In my case, there's three VLANs - devices that have access only to the internet (Xbox, PS, Nest), devices that only have access to the internal network (security cameras, connected printers) and devices that have access to both (desktops, phones).

That article on Ubiquiti done by the gun-obsessed guy would have been a nice place to start expanding the discussion to best practices or recommended hardware or whatever. I'd love to see a series on that.

I am entirely pessimistic about the IoT devices.The primary motivating factor for manufacturers is going to be spying and accelerated obsolescence. For example, typically consumers use TVs for over a decade, same with Refrigerators and other appliances. With IoT devices can be forced obsolete much earlier.Security will be a never solved problem and I would bet big money that no one will be offering updates for anything past a year or two, if that. That expensive Nest you replaced your 30yo thermostat with will be out of date and need replacing inside of 3 years for sure.The IoTs is for suckers.

"Embedded and wearable systems are turning soldiers into nodes on the DOD network, both to enhance their battlefield performance and to track their well-being."

This is where we lose humanity. This is where we lose sight of what makes us who we are.Sure, I get that soldiers are a "special case" where the military wants them to behave as a unit, and "be all that they can be," but at the end of the day, they are still human beings, just like the rest of us.

As for the advancements in ever-shrinking antennae, circuitry, and ubiquitous connectivity, "just because you can" has never been a great idea. Even if it's all encrypted, on its own separate VLAN, connected to its own "internet 3" network, it's worth asking - "who watches the watchers."

Benign as much of it may well be, we'll see more loss of humanity, as well as further losses of privacy with more and more of these little nodes tapping into more aspects of our existence.

It'll be a cold day in hell before I let any of these "IoT equipped" appliances and devices connect to my Wi-Fi network. None of my appliances are internet equipped right now, but if any of them are in the future, they sure as shit won't be interconnected.

Hardware device makers absolutely suck at implementing software properly - they literally can't be trusted. It's why I still use HTPCs and Rokus instead of the crap that comes bundled in with "Smart TVs."

I feel the same. It does help, however, that I have a WiFi AP that supports VLANs and a firewall. So, if I really wanted to, I could stick them all on a segregated network.